Serious Account Security Failure: Attacker regained control after email rollback, stole limiteds/Robux, and attempted account termination

Hi,

I’m posting this because something really serious has happened to my friend’s account, and honestly it feels way beyond a normal “contact support” situation at this point.

The username is 2_6l.

His account was compromised. The attacker changed the email/number etc. on the account, took control of it, stole/sold off his limiteds and Robux, and then started using the account to do malicious things such as creating groups with inappropriate terms & icons. From what we saw, they were even trying to use the account in ways that could get him terminated, including uploading NSFW content and generally making the account look as bad as possible.

This wasn’t some small loss either. He lost extremely valuable items amounting to over 700K+ Robux.

After contacting Roblox Support, he finally managed to get somewhere. The details change was reverted, 2FA was reset, and it looked like the account had been recovered.

But then, only a few hours later, somehow the account was reverted back to the attacker’s details again.

That is the part that is genuinely alarming.

It makes no sense that someone can go through the support process, get the email changed back, regain access, and then the attacker somehow ends up back in control again almost immediately after. At that point it starts to feel like the account was never actually secured properly in the first place.

And there’s a serious flaw in the recovery flow if they allow an email address that has only been on the account for 1 day since the creation of this post to revert it.

So from the outside, this looks like one of these things happened:
• the attacker still had some kind of access that wasn’t removed
• the recovery process didn’t fully secure the account
• something got rolled back incorrectly
• or there’s obviously a flaw in the account recovery process

That’s why I’m posting here. I know DevForum is not meant to replace support, but this really feels like the kind of issue that should be looked at by actual staff because it goes beyond a normal support ticket. Losing items is already bad enough, but recovering an account and then somehow having it handed back to the attacker again is on another level.

I really hope someone at Roblox can take a serious look at this, because if this can happen once, it can probably happen to other people too.

This whole situation has been ridiculous and honestly pretty disturbing to watch.

Thanks.

9 Likes

The attacker may have direct access to their email without making it obvious. Make sure his email is secure with 2FA + new recovery codes as well, and check for forwarding rules that might have been set up behind the scenes. In other words, this may have nothing to do with Roblox, but a security breach elsewhere.

5 Likes